On 8/13/20 12:20 PM, Al Viro wrote:
On Thu, Aug 13, 2020 at 05:41:17PM +0200, Christoph Hellwig wrote:
On Thu, Aug 13, 2020 at 11:40:00AM -0400, Josef Bacik wrote:
On 8/13/20 11:37 AM, Christoph Hellwig wrote:
On Thu, Aug 13, 2020 at 11:33:56AM -0400, Josef Bacik wrote:
Since
sysctl: pass kernel pointers to ->proc_handler
we have been pre-allocating a buffer to copy the data from the proc
handlers into, and then copying that to userspace. The problem is this
just blind kmalloc()'s the buffer size passed in from the read, which in
the case of our 'cat' binary was 64kib. Order-4 allocations are not
awesome, and since we can potentially allocate up to our maximum order,
use vmalloc for these buffers.
Fixes: 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")
Signed-off-by: Josef Bacik <josef@xxxxxxxxxxxxxx>
---
v1->v2:
- Make vmemdup_user_nul actually do the right thing...sorry about that.
fs/proc/proc_sysctl.c | 6 +++---
include/linux/string.h | 1 +
mm/util.c | 27 +++++++++++++++++++++++++++
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 6c1166ccdaea..207ac6e6e028 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -571,13 +571,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
goto out;
if (write) {
- kbuf = memdup_user_nul(ubuf, count);
+ kbuf = vmemdup_user_nul(ubuf, count);
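Review bot: the buffer assigned at `+ kbuf = vmemdup_user_nul(ubuf, count);` may come from either kmalloc or vmalloc (the existing vmemdup_user is kvmalloc-backed), so whatever releases kbuf later in proc_sys_call_handler() must be kvfree() rather than kfree(); that change is not visible in the quoted hunk, so it should be confirmed against the remaining lines of the proc_sysctl.c diff. The name also reads as a pure vmalloc allocation; kvmemdup_user_nul() would make the required kvfree() pairing obvious to callers.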
Given that this can also do a kmalloc and thus needs to be paired
with kvfree shouldn't it be kvmemdup_user_nul?
There's an existing vmemdup_user that does kvmalloc, so I followed the
existing naming convention. Do you want me to change them both? Thanks,
I personally would, and given that it only has a few users it might
even be feasible.
FWIW, how about following or combining that with "allocate count + 1 bytes on
the read side"? Allows some nice cleanups - e.g.
	len = sprintf(tmpbuf, "0x%04x", *(unsigned int *) table->data);
	if (len > left)
		len = left;
	memcpy(buffer, tmpbuf, len);
	if ((left -= len) > 0) {
		*((char *)buffer + len) = '\n';
		left--;
	}
in sunrpc proc_dodebug() turns into
left -= snprintf(buffer, left, "0x%04x\n",
*(unsigned int *) table->data);
and that's not the only example.
We wouldn't even need the extra +1 part, since we're only copying in how much
the user wants anyway, we could just go ahead and convert this to
left -= snprintf(buffer, left, "0x%04x\n", *(unsigned int *) table->data);
and be fine, right? Or am I misunderstanding what you're looking for? Thanks,
Josef
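As an added illustration (not code from this thread or from the kernel tree), the sprintf/memcpy pattern quoted above beside the snprintf form, in userspace C on a constructed value: it shows why the snprintf form needs count + 1 bytes of buffer to store the same bytes the old code did, and what `left -= snprintf(...)` yields when the buffer is shorter than the formatted string. The function names and the 32-byte scratch size are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SCRATCH 32  /* assumed scratch size, large enough for "0x%04x\n" */

/* Old sunrpc proc_dodebug() style: sprintf into a scratch buffer, copy at most
 * `left` bytes, and append '\n' only if a byte of room remains. Returns the
 * number of bytes placed in `buffer`, never more than `left`. */
size_t emit_old(char *buffer, size_t left, unsigned int value)
{
	char tmpbuf[SCRATCH];
	size_t len = (size_t)sprintf(tmpbuf, "0x%04x", value);

	if (len > left)
		len = left;
	memcpy(buffer, tmpbuf, len);
	if ((left -= len) > 0) {
		buffer[len] = '\n';
		len++;
	}
	return len;
}

/* snprintf formulation from the thread. snprintf reserves one byte of `left`
 * for the terminating NUL and returns the length of the untruncated string,
 * so the return value can exceed `left`. */
int emit_new(char *buffer, size_t left, unsigned int value)
{
	return snprintf(buffer, left, "0x%04x\n", value);
}

/* Payload bytes the old pattern stores for a buffer of `left` bytes. */
size_t stored_old(size_t left, unsigned int value)
{
	char buffer[SCRATCH];
	return emit_old(buffer, left, value);
}

/* Payload bytes (excluding the NUL) the snprintf form actually stores. */
size_t stored_new(size_t left, unsigned int value)
{
	char buffer[SCRATCH] = {0};
	emit_new(buffer, left, value);
	return strlen(buffer);
}

/* What `left -= snprintf(...)` leaves behind, as a signed quantity. */
long remaining_new(size_t left, unsigned int value)
{
	char buffer[SCRATCH];
	return (long)left - emit_new(buffer, left, value);
}
```

With exactly count bytes the snprintf form loses the trailing newline to the NUL terminator, and when the formatted string does not fit at all the subtraction goes negative, which is why the read side wants count + 1 bytes.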